CVE-2014-3248

Name: CVE-2014-3248

Description: Untrusted search path vulnerability in Puppet Enterprise 2.8 before 2.8.7, Puppet before 2.7.26 and 3.x before 3.6.2, Facter 1.6.x and 2.x before 2.0.2, Hiera before 1.3.4, and Mcollective before 2.5.2, when running with Ruby 1.9.1 or earlier, allows local users to gain privileges via a Trojan horse file in the current working directory, as demonstrated using (1) rubygems/defaults/operating_system.rb, (2) Win32API.rb, (3) Win32API.so, (4) safe_yaml.rb, (5) safe_yaml/deep.rb, or (6) safe_yaml/deep.so; or (7) operatingsystem.rb, (8) operatingsystem.so, (9) osfamily.rb, or (10) osfamily.so in puppet/confine.

Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| facter (PTS) | bullseye | 3.14.12-1 | fixed |
| | bookworm | 4.3.0-2 | fixed |
| | sid, trixie | 4.8.0-1 | fixed |
| hiera (PTS) | bullseye | 3.2.0-2.1 | fixed |
| | bookworm | 3.10.0-1 | fixed |
| | sid, trixie | 3.12.0-1 | fixed |
| mcollective (PTS) | bullseye | 2.12.5+dfsg-1 | fixed |
| | bookworm | 2.12.5+dfsg-1.1 | fixed |
| puppet (PTS) | bullseye | 5.5.22-2 | fixed |

The information below is based on the following data on fixed versions.

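| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| facter | source | (unstable) | 2.0.1-1 | low | | |
| hiera | source | (unstable) | 1.3.4-1 | low | | |
| mcollective | source | (unstable) | 2.5.2+dfsg-1 | low | | |
| puppet | source | (unstable) | 3.7.0-1 | low | | |
| ruby-hiera | source | (unstable) | (unfixed) | low | | |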

Notes

[wheezy] - puppet <no-dsa> (Minor issue)
[squeeze] - puppet <no-dsa> (Minor issue)
[wheezy] - ruby-hiera <no-dsa> (Minor issue)
[wheezy] - facter <no-dsa> (Minor issue)
[squeeze] - facter <no-dsa> (Minor issue)
[wheezy] - mcollective <no-dsa> (Minor issue)
http://puppetlabs.com/security/cve/cve-2014-3248
problem in combination with ruby <= 1.9.1
